Rewards

Low $150 | Medium $500 | High $5,000 | Critical $20,000


Our rewards are based on the severity of a vulnerability. HackerOne uses CVSS 3.0 (Common Vulnerability Scoring System) to calculate severity. Please note, however, that reward decisions are at the discretion of Amazon. Issues may receive a lower severity due to the presence of compensating controls and context.

The amounts shown in the table should be considered the MAXIMUM amounts for each severity level, though bonuses may be given at Amazon's discretion.


Severity | Amount (in USD)
Critical | $10,000 - $20,000
High | $1,500 - $5,000
Medium | $350 - $500
Low | $150
Last updated on July 31, 2021.


Policy 


Amazon Vulnerability Research Program (VRP) - Program Policy 
Introduction 


At Amazon, we take security and privacy very seriously. If you believe that you have found a security vulnerability that affects any Amazon product or service, please report it to us. You may report a vulnerability using the "Submit Report" button on this page. Reports that fall within the scope of Amazon's Vulnerability Research Program (VRP) are also eligible for a reward. We appreciate your efforts in helping protect customer trust and make Amazon more secure.


For vulnerabilities related to Amazon Web Services (AWS), please visit the AWS Vulnerability Reporting page.


What is VRP? 


Amazon's Vulnerability Research Program (VRP) is an initiative driven and managed by Amazon's Information Security team.


Who Can Participate in the Program 


Amazon customers and security researchers who discover a potential security finding within Amazon products or services can report it to the VRP program.

Amazon employees and contractors, as well as their immediate family members, are strictly prohibited from participating in the public bounty program.


How VRP Program Works 


• Security researchers and customers of Amazon are encouraged to report any behavior impacting the information security posture of Amazon products and services. If you are performing research, please use your own accounts and do not interact with other people's accounts or data.
• Document your findings thoroughly, providing steps to reproduce, and send your report to us. Reports with complete vulnerability details, including screenshots or video, are essential for a quick response.
• We will issue bounty awards for eligible findings. To be eligible for rewards, reports must comply with all parts of this policy and you must be the first to report the issue to us. You must be 18 or older to be eligible for an award.
• We will notify you of remediation and may reach out for questions or clarification. You must be available to provide additional information if we need it to reproduce and investigate the report.
• We will work with the affected teams to make necessary improvements and remediation.
• Qualified researchers who regularly submit high-quality findings can be added to the Amazon Private Program (invited researchers only).


Services and Products in Scope 


Bounty-eligible findings are limited to the following marketplaces and mobile apps:

(Note: Please check the Scopes section for complete details on the latest in-scope assets)

• All international retail marketplaces
  Brazil: amazon.com.br
  Canada: amazon.ca
  Mexico: amazon.com.mx
  United States: amazon.com
  China: amazon.cn
  India: amazon.in
  Japan: amazon.co.jp
  Singapore: amazon.sg
  Turkey: amazon.com.tr
  United Arab Emirates: amazon.ae
  France: amazon.fr
  Netherlands: amazon.nl
  Spain: amazon.es
  Sweden: amazon.se
  United Kingdom: amazon.co.uk
  Australia: amazon.com.au

• Android and iOS Retail Apps (MShop)
  Android: com.amazon.mShop.android.shopping
  iOS: amazon-shopping-297606951


Security issues discovered in the AWS IP space (https://ip-ranges.amazonaws.com/ip-ranges.json) are not in scope for the Amazon Vulnerability Research Program. AWS is an infrastructure provider, and the assets operating in this space belong to AWS customers. Discovering and testing against AWS and AWS customer assets is strictly out of scope for the Amazon Vulnerability Research Program and against the AWS AUP (https://aws.amazon.com/aup/).
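A practical way to apply the exclusion above is to check any bare IP you are about to test against the published AWS ranges before sending traffic. The following is an added example, not code from Amazon, AWS or HackerOne. It embeds a small constructed sample in the real file's schema (the prefixes are RFC 5737 / RFC 3849 documentation ranges, not AWS allocations) so it runs offline; `fetch_live_ranges` is an assumed helper for pulling the current file over the network.

```python
"""Scope check against AWS published IP ranges (added example, not Amazon/HackerOne code).

The real file lives at https://ip-ranges.amazonaws.com/ip-ranges.json and has
the same top-level shape as the constructed sample below.
"""
import ipaddress
import json
import urllib.request

AWS_RANGES_URL = "https://ip-ranges.amazonaws.com/ip-ranges.json"

# Constructed sample in the published schema. The prefixes are documentation
# ranges (RFC 5737 / RFC 3849), NOT real AWS allocations.
SAMPLE_IP_RANGES_JSON = """{
  "syncToken": "0",
  "createDate": "2021-11-09-00-00-00",
  "prefixes": [
    {"ip_prefix": "203.0.113.0/24", "region": "us-east-1",
     "service": "AMAZON", "network_border_group": "us-east-1"},
    {"ip_prefix": "198.51.100.0/24", "region": "eu-west-1",
     "service": "EC2", "network_border_group": "eu-west-1"}
  ],
  "ipv6_prefixes": [
    {"ipv6_prefix": "2001:db8::/32", "region": "us-east-1",
     "service": "AMAZON", "network_border_group": "us-east-1"}
  ]
}"""


def load_aws_prefixes(raw_json):
    """Parse ip-ranges.json text into (network, region, service) tuples."""
    data = json.loads(raw_json)
    nets = []
    for p in data.get("prefixes", []):
        nets.append((ipaddress.ip_network(p["ip_prefix"]), p["region"], p["service"]))
    for p in data.get("ipv6_prefixes", []):
        nets.append((ipaddress.ip_network(p["ipv6_prefix"]), p["region"], p["service"]))
    return nets


def fetch_live_ranges(url=AWS_RANGES_URL, timeout=10):
    """Assumed helper: download the current file (network access required)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return load_aws_prefixes(resp.read().decode("utf-8"))


def aws_match(ip, prefixes):
    """Return the (network, region, service) that covers `ip`, or None.

    The most specific prefix wins: the real file lists overlapping ranges
    (a broad AMAZON block and narrower service blocks inside it).
    """
    addr = ipaddress.ip_address(ip)
    best = None
    for net, region, service in prefixes:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, region, service)
    return best


def is_aws_hosted(ip, prefixes):
    """True when `ip` falls inside AWS address space, i.e. outside VRP scope."""
    return aws_match(ip, prefixes) is not None


def partition_targets(ips, prefixes):
    """Split candidate IPs into (non_aws, aws) so AWS-hosted addresses can be
    dropped from a test plan before any traffic is sent."""
    non_aws, aws = [], []
    for ip in ips:
        (aws if is_aws_hosted(ip, prefixes) else non_aws).append(ip)
    return non_aws, aws
```

The check is for discarding stray addresses turned up by enumeration. The in-scope assets on this page are defined by hostname, so if an in-scope hostname happens to resolve into AWS space the hostname scope list still governs what you may test; do not use the IP check to expand scope in either direction.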


You are not authorized to test any asset, domain, or IP address outside the scope of the Amazon Vulnerability Research Program. Reports of security findings outside of bounty-eligible scope will be accepted and handled appropriately. If the researcher is not able to demonstrate the impact on bounty-eligible assets, then that finding will not be considered for the rewards.


Please note that zero-day vulnerabilities (vulnerabilities that were not previously known to the security community) are not eligible for awards unless you identify the zero-day vulnerability on an in-scope system more than 30 days after it was disclosed to the security community. Additionally, we have an internal team dedicated to addressing zero-day vulnerabilities, and vulnerabilities that are already known and being tracked by that team at the time of your report will not be eligible for an award.


Rules of Engagement 


• Provide details of the vulnerability finding, including information needed to reproduce and validate the report
• Do not attempt to conduct post-exploitation, including modification or destruction of data, and interruption or degradation of Amazon services
• Do not attempt to perform brute-force attacks, denial-of-service attacks, or compromise or testing of Amazon accounts that are not your own

Captured 11/11/21, 10:04 PM from https://hackerone.com/amazonvrp?type=team (Amazon Vulnerability Research Program - Bug Bounty Program | HackerOne)


• Do not use automated scanners/tools (see the limited exception below).
• Do not threaten or try to extort Amazon. You should not act in bad faith or make ransom requests. You should simply report the vulnerability to us.
• Please make sure to use the User-Agent string amazonvrpresearcher_yourh1username while testing.
• Limited usage of automated scanners/tools is allowed with the above User-Agent applied, and scanners/tools must be configured to not send more than 5 requests per second to any particular service.
• Please note, use of scanning tools without the User-Agent string amazonvrpresearcher_yourh1username may result in your account/IP getting blocked by automated protections. It can take time to reinstate these, so please make sure to include it.
• If you encounter user information that is not your own in the course of your research, please stop and report this activity to our team so we can investigate. Please report to us what information was accessed and delete the data. Do not save, copy, transfer, or otherwise use this data. Continuing to access another person's data may demonstrate a lack of good faith.

NOTE: Please do not use 3rd-party sites when doing testing (for instance, <yourdomains>.xss.ht). We understand the use case (and value of this testing), but ask that when doing blind XSS (or any) testing, you only utilize assets that you explicitly own (and control) yourself. While we support blind XSS (SSRF, etc.) testing, please make sure that all of it goes through domains you have control over. Thanks!


For other Types of Issues 


• For unknown, suspicious, or fraudulent purchases, orders, or credit card transactions, suspicious password changes, account changes, or potential fraud, please contact Customer Service.
• For Amazon Web Services (AWS) related issues, please report via the AWS security reporting page (https://aws.amazon.com/security/vulnerability-reporting/).
• To report Copyright Infringement related issues, please use the copyright reporting link on the program page.


Creating Accounts for Vulnerability Research 


Please create accounts using a HackerOne email to help us track security research activity. You can create accounts on Amazon by using yourh1username@wearehackerone.com


Also, while testing please send the string amazonvrpresearcher_yourh1username in your User-Agent header. You can create a match-and-replace proxy rule in Burp by going to Proxy >> Options >> Match and Replace with the following options:

Type: Request header
Match: ^User-Agent.*$
Replace: User-Agent: amazonvrpresearcher_yourh1username
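The Burp rule covers traffic you proxy by hand. For scripted testing the same two requirements from the Rules of Engagement apply: every request carries amazonvrpresearcher_<your h1 username>, and no single service sees more than 5 requests per second. The following is an added example, not Amazon's or HackerOne's code; the username "alice" is a placeholder, the per-host token bucket is one conservative reading of the 5 req/s rule, and the clock and sleep hooks exist only so the throttling can be verified without real waiting.

```python
"""Tag and throttle research traffic per the Rules of Engagement (added
example, not Amazon's or HackerOne's code).

Assumptions: the h1 username "alice" is a placeholder; the 5 req/s ceiling and
the amazonvrpresearcher_<h1 username> User-Agent come from the policy text.
"""
import time
import urllib.parse
import urllib.request


def vrp_user_agent(h1_username):
    """Build the User-Agent the program asks researchers to send."""
    if not h1_username or any(ch.isspace() for ch in h1_username):
        raise ValueError("HackerOne username must be a single non-empty token")
    return "amazonvrpresearcher_" + h1_username


class RateLimiter:
    """Token bucket capped at `rate` requests per second.

    `burst` is the bucket size; the default of 1 means strictly one request
    every 1/rate seconds, the conservative reading of "no more than 5
    requests per second". `clock` and `sleep` are injectable so the
    behaviour can be checked without real waiting.
    """

    def __init__(self, rate=5.0, burst=1, clock=time.monotonic, sleep=time.sleep):
        self.rate = float(rate)
        self.capacity = float(burst)
        self.tokens = float(burst)
        self.clock = clock
        self.sleep = sleep
        self.last = clock()
        self.waited = 0.0  # seconds spent sleeping, for inspection

    def _refill(self):
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def acquire(self):
        """Block until a token is available, then consume it."""
        self._refill()
        if self.tokens < 1.0:
            wait = (1.0 - self.tokens) / self.rate
            self.sleep(wait)
            self.waited += wait
            self._refill()
        self.tokens -= 1.0


class ThrottledClient:
    """Builds correctly tagged requests and rate-limits them per host, which
    matches "5 requests per second to any particular service"."""

    def __init__(self, h1_username, rate=5.0, clock=time.monotonic, sleep=time.sleep):
        self.user_agent = vrp_user_agent(h1_username)
        self.rate = rate
        self.clock = clock
        self.sleep = sleep
        self.limiters = {}  # host -> RateLimiter

    def build_request(self, url, method="GET", data=None):
        """Return a urllib Request carrying the VRP User-Agent."""
        req = urllib.request.Request(url, data=data, method=method)
        req.add_header("User-Agent", self.user_agent)
        return req

    def throttle(self, url):
        """Wait as needed so this host never sees more than `rate` req/s."""
        host = urllib.parse.urlsplit(url).netloc.lower()
        lim = self.limiters.get(host)
        if lim is None:
            lim = self.limiters[host] = RateLimiter(self.rate, clock=self.clock, sleep=self.sleep)
        lim.acquire()
        return host

    def send(self, url, timeout=15):
        """Throttle, then actually send the request (network access required)."""
        self.throttle(url)
        with urllib.request.urlopen(self.build_request(url), timeout=timeout) as resp:
            return resp.status, resp.read()
```

Wire the same User-Agent into whatever scanner you run (most accept a custom header or can be pointed through Burp with the rule above), and keep the limiter per host rather than global: the policy's limit is per service, and a global 5 req/s spread over several hosts is stricter than required while a global limit that ignores hosts can still overrun one of them.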
under the Digital Millennium Copyright Act (DMCA) for circumventing technological measures to protect the services and applications eligible under this policy.
As long as you comply with this policy:

• We consider your security research to be "authorized" under the Computer Fraud and Abuse Act. These terms do not provide you with authorization to access company data or another person's account.
• We waive any restrictions in our applicable Terms of Service and Acceptable Use Policy that would prohibit your participation in this policy, for the limited purpose of your security research under this policy.


Amazon cannot authorize any activity on third-party products or guarantee they won't pursue legal action against you. We aren't responsible for your liability from actions performed on third parties.

Don't do anything illegal or unethical. You are responsible for complying with local laws, restrictions, regulations, etc.


To protect your privacy, we will not, unless served with legal process or to address a violation of this policy:

• Share your PII with third parties
• Share your research without your permission
• Share your HackerOne points, or participation without your permission
If Your Account is Banned or Blocked by Vulnerability Research Activities

• Follow the on-screen instructions when you log in to your Amazon account for recovery
• Be prepared with a recent card statement available to prove ownership
• The account will typically be restored within 24 hours
Research Guidance

Reference HackerOne guidance on writing quality reports:

• https://docs.hackerone.com/hackers/quality-reports.html
• https://www.hacker101.com/sessions/good_reports


Responsible Disclosure Policy

Amazon commits to timely remediation of your findings, and prompt response to relevant questions.


In-Scope Vulnerabilities

Vulnerability | Severity Range
Remote Code Execution | Critical
SQL Injection | High - Critical
XXE | High - Critical
XSS | Medium - High
Server-Side Request Forgery | Low - Critical
Directory Traversal - Local File Inclusion | Medium - High
Authentication/Authorization Bypass (Broken Access Control) | Medium - High
Privilege Escalation | Medium - High
Insecure Direct Object Reference | Medium - Critical
Misconfiguration | Low - High
Web Cache Deception | Low - Medium
CORS Misconfiguration | Low - Medium
CRLF Injection | Low - Medium
Cross Site Request Forgery | Low - Medium
Open Redirect | Low - Medium
Information Disclosure | Low - Medium
Request smuggling | Low - Medium
Mixed Content | Low

Non-eligible Vulnerabilities
2. Clickjacking
3. Self XSS
4. Email Spoofing - SPF Records Misconfiguration


Out-of-Scope Issues

• Security practices where other mitigating controls exist, e.g. missing security headers
• Social Engineering, Phishing
• Physical Attacks
• Missing Cookie Flags
• CSRF with minimal impact, e.g. Login CSRF, Logout CSRF
• Content Spoofing
• Stack Traces, Path Disclosure, Directory Listings
• SSL/TLS controls where other mitigating controls exist
• Banner Grabbing
• CSV Injection
• Reflected File Download
• Reports on outdated browsers
• Reports on outdated versions/builds of in-scope Mobile Apps
• DOS/DDOS
• Host header Injection without a demonstrable impact
• Scanner Outputs
• Vulnerabilities on Third-Party Products
• User Enumeration
• Password Complexity
• HTTP Trace Method
• Discovering and testing against AWS customer assets


Out-of-Scope Assets

Category | Asset
Physical Stores | Amazon Go Mobile Apps, Whole Foods Apps, anything related to Physical Stores will be out-of-scope
AWS | All AWS related services and products will be out-of-scope - See AWS security reporting at https://aws.amazon.com/security/vulnerability-reporting/
In Scope

(The domain assets below are each listed on the program page with max severity Critical and marked Eligible for bounty.)

Domain: https://smile.amazon.*
  Full list of international TLDs in scope: http://smile.amazon.com, http://smile.amazon.de, http://smile.amazon.co.uk

Domain: https://flex.amazon.*
  Full list of international TLDs in scope: http://flex.amazon.com.mx, http://flex.amazon.fr, http://flex.amazon.de

Domain: https://logistics.amazon.*
  Full list of international TLDs in scope: http://logistics.amazon.com.mx, http://logistics.amazon.ca, http://logistics.amazon.co.jp, http://logistics.amazon.fr, http://logistics.amazon.com.au

Domain: https://org.amazon.*
  Full list of international TLDs in scope: http://org.amazon.com, http://org.amazon.de, http://org.amazon.co.uk

Domain: www.amazon.*
  All international retail marketplaces:
  Brazil: amazon.com.br
  Canada: amazon.ca
  Mexico: amazon.com.mx
  United States: amazon.com
  China: amazon.cn
  India: amazon.in
  Japan: amazon.co.jp
  Singapore: amazon.sg
  Turkey: amazon.com.tr
  United Arab Emirates: amazon.ae
  France: amazon.fr
  Sweden: amazon.se
  United Kingdom: amazon.co.uk
  Australia: amazon.com.au

Domain: https://primenow.amazon.*
  Full list of international TLDs in scope: http://primenow.amazon.com, http://primenow.amazon.ca, http://primenow.amazon.co.jp, http://primenow.amazon.fr, http://primenow.amazon.de, http://primenow.amazon.it, http://primenow.amazon.es, http://primenow.amazon.co.uk

Domain: https://pay.amazon.*
  Full list of international TLDs in scope: http://pay.amazon.in, http://pay.amazon.co.jp, http://pay.amazon.fr, http://pay.amazon.de, http://pay.amazon.it, http://pay.amazon.es, http://pay.amazon.co.uk

Domain: https://fresh.amazon.*
  Full list of international TLDs in scope: http://fresh.amazon.com

Domain: https://photos.amazon.*
  Full list of international TLDs in scope: http://photos.amazon.com, http://photos.amazon.com.br, http://photos.amazon.ca, http://photos.amazon.cn, http://photos.amazon.co.jp, http://photos.amazon.fr, http://photos.amazon.de, http://photos.amazon.it, http://photos.amazon.es, http://photos.amazon.co.uk, http://photos.amazon.com.au

Domain: https://prime.amazon.*

Domain: https://music.amazon.com
  Full list of international TLDs in scope: http://music.amazon.com, http://music.amazon.com.br, http://music.amazon.com.mx, http://music.amazon.ca, http://music.amazon.in, http://music.amazon.co.jp, http://music.amazon.fr, http://music.amazon.de, http://music.amazon.it, http://music.amazon.es, http://music.amazon.co.uk, http://music.amazon.com.au

Domain: https://manufacturing.amazon.*
  Full list of international TLDs in scope: http://manufacturing.amazon.com

Domain: https://freight.amazon.*
  Full list of international TLDs in scope: http://freight.amazon.com, http://freight.amazon.de, http://freight.amazon.co.uk

Domain: https://shopbylook.amazon.*
  Full list of international TLDs in scope: http://shopbylook.amazon.com

Domain: chat.amazon.com
Domain: https://affiliate-program.amazon.com
Domain: https://track.amazon.com
Domain: https://api.amazon.com
Domain: https://manufacturing.amazon.com
Domain: https://www.amazon.com/dppui/*
Domain: https://www.amazon.com/gp/buy/*
Domain: www.amazon.com/cpe/yourpayments/wallet

Domain: payments.amazon.* (max severity Critical, Eligible)
  All international TLDs in scope: https://payments.amazon.com, https://payments.amazon.co.uk, https://payments.amazon.co.jp, https://payments.amazon.ie
  How to log in:
  • For US, go to https://pay.amazon.com
  • Log in with your Amazon credentials after selecting "Sign-in with your Shoppers amazon account". You will be redirected to the orders page (https://payments.amazon.com/jr/your-account/orders) where you can see your Amazon Pay transactions.
  • If you do not see any transactions, you need to make a transaction using Amazon Pay with a seller. Once the transaction is complete, you can find orders and transactions on this page.
  • You can follow the same steps for other marketplaces.

Play Store: Android: com.amazon.mShop.android.shopping (max severity Critical, Eligible)
App Store: iOS: 297606951 (max severity Critical, Eligible)
Other: Other Amazon Retail Sites (max severity Critical, Ineligible)
Other: Other Amazon Retail Mobile Apps (max severity Critical, Ineligible)
Other: Amazon Retail Subsidiaries (max severity Critical, Ineligible)
Other: Amazon Retail Assets (if you are not sure about the asset scope, please use this one) (max severity Critical, Ineligible)

Out of Scope

Domain: https://amazongames.com/
Other: Amazon Web Services (AWS). Currently, anything related to AWS should be considered out of scope and should be reported directly to AWS: https://aws.amazon.com/security/vulnerability-reporting/
Other: Amazon Physical Stores. Amazon Go Mobile Apps, Whole Foods Apps, anything related to Physical Stores will be out-of-scope; submitted reports will be reviewed and addressed but are not eligible for bounty.

A Burp Suite project configuration file covering the 33 in-scope URLs is available for download on the program page. Last updated on November 9, 2021.


Response Efficiency

Average time to first response: 20 hrs
Average time to triage: 2 days
Average time to bounty: 15 days
Average time to resolution: about 1 month
98% of reports meet response standards
Based on last 90 days


Program Statistics (updated daily)

Reports received in the last 90 days: 453
Last report resolved: 2 days ago
Hackers thanked: 345


Top hackers

stefanofinding (Reputation: 584)
lan (Reputation: 289)
g4mb4 (Reputation: 245)
40826d (Reputation: 142)
paastha (Reputation: 122)